Security researchers over at SentinelLabs have discovered a growing number of ransomware gangs using a new tactic: partially encrypting the victim’s files, which speeds up the encryption process and reduces the chance of detection at the same time.
The tactic, known as intermittent encryption, encrypts only parts of each targeted file. The data is still unrecoverable without the decryption key, but because the encryption is far less aggressive on disk, most automated detection tools that look for intense I/O activity to spot ransomware are likely to miss it.
According to SentinelLabs’ report, the tactic was first used by LockFile in mid-2021 and has since been adopted by Agenda, Black Basta, ALPHV (also known as BlackCat), PLAY and Qyick, to name a few.
Most groups are adding their own twists to the technique. Agenda, for example, offers intermittent encryption as an optional mode with three variants: skip a specified number of megabytes, encrypt only the first specified number of megabytes of the file, or skip a percentage of the file size.
BlackCat also gives operators several encryption choices, similar to Agenda and to Qyick’s Go-based encryptor, which the group itself advertised on a hacker forum post as working at an ‘unmatched’ speed. PLAY’s implementation splits each file into two, three or five chunks depending on the file size and encrypts every other chunk. Black Basta gives operators no choices at all: the strain itself decides what to do based on the target file’s size.
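Because the I/O footprint is what these strains deliberately shrink, a defender can instead look at file content: a file where near-random chunks alternate with plainly structured ones matches the PLAY-style pattern described above. The following is an added illustration, not code from the SentinelLabs report or from any of the strains; the 4 KB chunk size, the entropy thresholds and the sample data are all assumptions chosen for the demo.

```python
import hashlib
import math
from typing import List

CHUNK_SIZE = 4096  # assumed chunk size; real strains pick their own sizes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[float]:
    """Entropy of each fixed-size chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def looks_intermittently_encrypted(data: bytes, chunk_size: int = CHUNK_SIZE,
                                   high: float = 7.5, low: float = 6.5) -> bool:
    """Flag files that mix ciphertext-like chunks with structured chunks.
    A file that is high entropy throughout (zip, jpeg, fully encrypted) is not
    flagged, and neither is one that is low entropy throughout (thresholds assumed)."""
    ents = chunk_entropies(data, chunk_size)
    if len(ents) < 2:
        return False
    return any(e >= high for e in ents) and any(e <= low for e in ents)


# Constructed, deterministic sample data; hash output stands in for ciphertext.
def _pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


PLAINTEXT = (b"Quarterly report: revenue up 4%, costs flat. " * 100)[:CHUNK_SIZE]


def build_sample(encrypt_alternate: bool, chunks: int = 6) -> bytes:
    """Six plaintext chunks; if requested, every second chunk is replaced by
    random-looking bytes to mimic the alternate-chunk pattern described above."""
    return b"".join(_pseudo_random(CHUNK_SIZE, seed=bytes([i]))
                    if encrypt_alternate and i % 2 else PLAINTEXT
                    for i in range(chunks))
```

Container formats with embedded compressed streams (office documents, PDFs with images) also show mixed entropy, so treat a hit as a triage signal to correlate with process and file-rename telemetry rather than a verdict on its own.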
The tactic doesn’t have any downsides, so experts believe that more gangs will adopt this approach in the months to come. That said, the implementation needs to be done correctly to ensure that, at the very least, data recovery isn’t easy. Currently BlackCat’s implementation appears to be the most sophisticated, while analysts have yet to determine how effective Qyick’s approach is, as samples of that ransomware haven’t yet been analysed.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.